I'm trying to set up an AD domain to manage the security between two Windows Server 2008 web servers that will sooner or later use NLB to balance website requests.

I've hit a problem which I think is a simple solution and is down to DNS.

My website domain is mydomain.com. The two servers are running behind a NAT firewall on the 10.0.0.0 IP range.

I've set up the AD domain to be called ad.mydomain.com (as recommended by MS and a few other answers to questions on here).

The second web server however doesn't want to join the domain, and gives an error pinning the problem on DNS - "ensure that the domain name is typed correctly" even though it queries the SRV record successfully and gets the correct DC back - dc.ad.mydomain.com.

3 Answers

It's unclear to me where your domain controller is, on the network, with respect to the web servers.

Here's the easiest thing to do:

The web servers should be using a DNS server hosted by the domain controller (you don't have to do it this way, but it makes life a lot easier). If they're both behind the same NAT firewall, just configure the web servers to use the DC as their DNS server (and be sure that DNS is installed on the DC). You can configure the DNS server on the DC to either "forward" to your ISP's DNS servers or use "root hints" to do root resolution of unknown names.

If your DC is outside the firewall on a public IP address (<shudder>) then you could put a glue record into the public DNS for that IP address (and think strongly about getting a VPN) delegating the "ad.mycompany.com" zone to that server.

If your DC is behind a different NAT box then prepare for lots and lots of "fun" (or just get a VPN between the webserver LAN and the DC LAN and be done with it).

If everybody is behind the same firewall just use the DNS server on the DC for everybody's DNS and life will be easy.

Hi Evan, thanks for the response. I was hoping you might see this thread as I noticed you replied to numerous other threads on similar topics. The two web servers are both on the same LAN on the same IP range. I can ping to and from both web servers, as well as access file shares on both. The DNS server is on the domain controller. The non-DC web server is using the DC as its only DNS server and I've set the DNS server to forward unfamiliar requests to my ISP's servers. When I do an nslookup from the non-DC server I can successfully resolve the DC server name and the AD domain itself.
–
Ant Aug 5 '09 at 14:38

(cont'd) - as well as resolve internet domains. The problem only shows itself when I try to add the non-DC server to the domain. If I use AD's FQDN in the computer name/domain changes prompt it thinks about it momentarily before saying 'the AD domain controller could not be contacted'. 'Ensure the domain name is typed correctly'. This is even though I can ping the DC okay. Using the non-fully-qualified domain name for AD it asks for a username/password to join the computer to the domain before it gives a similar DNS-related error message 'an attempt to resolve DC has failed'.
–
Ant Aug 5 '09 at 14:42

I'm heading into a meeting (yay... writing reports against an SQL database!) but I'll have another look here and give you some ideas shortly. Sounds pretty straightforward and should be working. I'll have to think about what might be wrong to give you some things to check.
–
Evan Anderson Aug 5 '09 at 15:18
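The checks Evan's answer relies on (web server using only the DC for DNS, the DC locator SRV records resolving, the DC reachable on the ports a domain join uses) can be run from the non-DC server as one script. This is an added example, not code from the thread; it assumes the names used in the question (AD domain ad.mydomain.com, DC dc.ad.mydomain.com) and sticks to tools present on Server 2008 with PowerShell 2.0 (WMI, nslookup, ipconfig, nltest), since the DnsClient and NetTCPIP cmdlets only arrived in Server 2012. The resolver cache is flushed first so a stale or negative cached answer cannot mask what the DC actually returns.

```powershell
# Added diagnostic script (not from the original thread). Assumed names:
# AD domain ad.mydomain.com, DC dc.ad.mydomain.com. Run on the non-DC web
# server in an elevated PowerShell 2.0 session; all tools are built in.
$adDomain = 'ad.mydomain.com'
$dcName   = 'dc.ad.mydomain.com'

# 1. Which DNS servers is this box really using? Should list the DC only;
#    an ISP or router address here is the classic cause of a failed join.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DNSServerSearchOrder, DNSDomain |
    Format-List

# 2. Drop the local resolver cache so a stale/negative answer is not reused.
ipconfig /flushdns | Out-Null

# 3. The locator records the join logic looks up (LDAP and Kerberos under
#    _msdcs); each must return the DC's name, and that name must resolve.
foreach ($name in @("_ldap._tcp.dc._msdcs.$adDomain",
                    "_kerberos._tcp.dc._msdcs.$adDomain")) {
    Write-Host "== SRV $name"
    nslookup -type=SRV $name
}

# 4. Plain A records: the DC host and the zone apex (DCs register both).
nslookup $dcName
nslookup $adDomain

# 5. Ports used during a join: DNS, Kerberos, RPC endpoint mapper, LDAP,
#    SMB and Kerberos password change. TcpClient works on PowerShell 2.0.
function Test-Port($computer, $port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($computer, $port)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $state = if (Test-Port $dcName $port) { 'open' } else { 'BLOCKED' }
    "{0}:{1,-4} {2}" -f $dcName, $port, $state
}

# 6. Ask the DC locator directly; this is what the join dialog does.
#    A DNS-side failure shows up here before the credentials prompt.
nltest "/dsgetdc:$adDomain" /force
```

If step 1 shows anything other than the DC's address, fix that with netsh or the adapter properties before reading further; steps 3 and 6 failing while step 4 succeeds points at the _msdcs SRV records rather than basic name resolution, and step 5 showing BLOCKED ports points at the Windows Firewall on the DC rather than DNS.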

Okay, well, after 3 or 4 days of intermittently trying different things to make the second server join the domain, I finally (just) found a fix.

I rebooted it.

Somehow, after the reboot, and by doing exactly the same thing as I had every other time, the server joined the domain first time.

The server hadn't been rebooted since it was installed at the start of February, so the reboot must have removed some cached DNS record somewhere (or, something else, somewhere) allowing it to join the domain.

Cheers Sanjay - I should have been clearer. Both computers are on the same NAT'd network. I can ping from one to the other okay, via their IP address and (from non-DC server to DC) via AD DNS name.
–
Ant Aug 5 '09 at 14:51